(b) For the procurement of electronic tickets at the start of a journey and the invoicing of these tickets after the journey has ended in accordance with the Be-in/Be-out principle (hereinafter "Walk-In"), the special "Walk-In” provisions according to Section 9 shall apply.
2. Processing of personal data
2.1. Personal data obtained
(a) In connection with the use of certain website and app services, SOB and/or the service providers engaged by it (system, distribution and logistics partners) shall obtain the following personal data of the customer:
(i) The master data, which is to be entered during registration, shall include, as a minimum, the forenames, surnames, email address and date of birth of the customer, as well as information regarding the registered payment method. The customer can voluntarily enter more master data (such as work or home location). If fan items are ordered, additional delivery and invoice addresses must be entered.
(ii) The purchasing data provides information about which services or products the customer purchased and when.
(iii) The movement data (Walk-In data or location tracking) allows a customer’s journey to be tracked. Movement data is only recorded if the customer gives his permission to do so.
(iv) The usage data provides information about the date and time that the webshop or the app is called up, the pages visited, the IP address, device ID and type, language settings, volume of data transferred, as well as product and version information for the operating system and browser used by the customer’s end device.
(b) The inspection data shows a time and a section of the route in which a customer actually used a purchased ticket, because it was recorded in the context of an inspection. SOB has no access to the inspection data.
(c) If personal data of third parties is disclosed to SOB (e.g. when recording other passengers), the customer is responsible for ensuring that the people in question give their consent and that the details are correct.
2.2. Purpose of the data processing
(a) SOB processes the personal data of the customer for the following purposes:
(i) For the implementation of the contract, namely to issue electronic tickets and to send out any fan items ordered.
(ii) Unless the customer refuses it: for general advertising targeted at the customer in connection with the services and fan items offered in the webshop and via the app.
(iii) Unless the customer refuses it: for personalized advertising targeted at the customer, namely in the form of additional offers for services that are tailored to the planned journey or location of the customer.
(iv) Provided the customer agrees: for the personalized optimization of the user experience, in which the journey and price determination are tailored each time to the travel preferences and the profile of the customer formed by purchasing and movement data.
(b) The movement and usage data shall be further analyzed on an anonymous and aggregate basis for the ongoing optimization of the webshop, the app and the services and fan items offered there.
(c) The personal data of the customer will only be passed on to third parties if and to the extent that this is necessary for the performance and optimization of the services offered, a credit assessment, concluding a contract with a third-party provider facilitated by SOB or for order and payment processing. Companies associated with SOB (group companies) do not count as third parties.
2.3. Storage of the personal data
(a) The storage period of the personal data of the customer shall be as follows:
(i) Master data: until the customer deletes their profile, but at the earliest 6 months after the last journey is concluded.
(ii) Purchasing data: at least 6 months after conclusion of the journey; if the customer accepts personalization options: until the customer deletes their profile.
(iii) Movement data: until the customer deletes their profile (subject to the customer’s agreement to the recording of their movement data).
(iv) Usage data: until the customer deletes their profile.
3. Data security
(a) SOB shall ensure appropriate data security in accordance with the provisions of the law.
(b) SOB shall secure the webshop and the app in particular to a reasonable extent by means of technical and organizational measures against loss, deletion, access, alteration or dissemination of the customer’s data by unauthorized persons.
(a) SOB uses "cookies". These are small text files, which are sent from the corresponding web server to the user’s browser the first time they visit the website and are saved on the user’s device or in the cache of the user’s internet browser. In this way, the web server is able to recognize whether the browser has already visited the website in question.
(b) The data collected with the help of cookies is used by SOB to improve their services and for the anonymized analysis of usage data.
(c) The customer is able to adjust the browser in such a way that cookies are not stored on the hard disk and to delete cookies that have already been stored on the end device. However, in this case the customer may not be able to use all webshop or app functions to their full extent.
5. Google Analytics
(b) The customer is able to prevent the cookies from being stored by adjusting their browser software accordingly. Furthermore, the customer can prevent the data generated by the cookies from being recorded as well as the processing of this data by Google, by downloading and installing the browser plug-in available at the following link: tools.google.com/dlpage/gaoptout.
6. Use of social plug-ins
(a) SOB uses social plug-ins ("plug-ins") of various social networks. The plug-ins feature the logo of the corresponding social network.
(b) If the customer accesses a website containing plug-ins, the browser creates a direct link with the servers of the corresponding social network. The content of the plug-ins is submitted from the social network in question directly to the browser, from where it is integrated into the website. Through the integration of the plug-ins, the social network is informed that the device used by the customer has called up the website.
(c) If the customer is logged in to the social network in question, it can assign the visit to the account of the customer with the social network in question. If the customer interacts with the plug-ins, for example by clicking “like” on Facebook or by submitting a comment, the corresponding information will be transferred directly to the social network in question, where it will be saved.
(d) The purpose and scope of the data collection and the further processing and use of the data by the social network in question as well as the relevant rights and configuration options to protect the customer’s privacy are derived from the privacy policies of the social network in question.
7. Owner of data file
(a) The owner of the data file shall be Schweizerische Südostbahn AG.
8. Right of access and rectification
(a) In accordance with statutory regulations, the customer shall be entitled to access and/or rectify their stored personal data. Requests for access or rectification must be made in writing or by email and sent along with a copy of an ID document to:
Schweizerische Südostbahn AG
9001 St. Gallen, Switzerland
9. Walk-In / Swipe-In - special provisions
(a) When the customer activates Walk-In, he agrees that his presence in the vehicle will be recorded by means of beacons as soon as he uses a vehicle equipped for Walk-In. The recording ends when he leaves the signal radius of the vehicle.
(b) When the customer activates Swipe-In (Check-In), he agrees that his exact location will be recorded by GPS (global positioning system) and WPS (Wi-Fi positioning system) until he stops the recording by checking out at the end of the journey.
(c) The recorded data will be used for travel and pricing purposes.
(d) Data regarding the customer's movements will be kept for 6 months after the end of the trip. If the customer agrees to personalization options, his movement data will be saved until he deletes his profile.
(e) If and insofar as this Clause 9 does not contain any special provisions, the data protection provisions shall apply.